gh0strat | f5efa4fd95d202fa4a7b8840d765d80d542ef50f612df06eea5df91291ec4273

General

Target

94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe
Size

767KB
MD5

94e6c9d22463d83b4402d06db0a9d3ed
SHA1

7c4cab2177d575a5c31acdfb4e9d08840f3de713
SHA256

f5efa4fd95d202fa4a7b8840d765d80d542ef50f612df06eea5df91291ec4273
SHA512

64fe35390c7f7285057f323d248efbf9e6dec73d0d36bf107a8e9a14983aaa10ab02f978d84a585618d3e868bec8379a7a98a57710a1f20eccd64f0a438ab048
SSDEEP

12288:1gZNodYlG4wxdrzveiNzldJ5Pgd6a715amnGXP2AvsaCa1LcXceSpI1UmW2O9cD8:2Z6dYlG4yrzveiNzZSdx7naregw0Lcdu

Score

10^/10

gh0strat discovery evasion rat trojan upx

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224d-2.dat	family_gh0strat
behavioral1/memory/2776-4-0x00000000028F0000-0x0000000002916000-memory.dmp	family_gh0strat
behavioral1/memory/2680-10-0x0000000000400000-0x0000000000426000-memory.dmp	family_gh0strat
behavioral1/memory/2680-65-0x0000000000400000-0x0000000000426000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016e0d-33.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2680	1.exe
2712	逆向思维-QQ图标全能点亮器V2.1.exe

Loads dropped DLL 14 IoCs

pid	Process
2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe
2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe
2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe
2680	1.exe
2680	1.exe
2680	1.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe
2712	逆向思维-QQ图标全能点亮器V2.1.exe
2824	WerFault.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016e04-11.dat	upx
behavioral1/memory/2776-17-0x0000000002900000-0x0000000002A53000-memory.dmp	upx
behavioral1/files/0x0008000000016e0d-33.dat	upx
behavioral1/memory/2712-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2712-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2712-66-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-68-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-70-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-72-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-74-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-76-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-78-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-80-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-82-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-84-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-86-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-88-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-90-0x0000000000400000-0x0000000000553000-memory.dmp	upx
behavioral1/memory/2712-92-0x0000000000400000-0x0000000000553000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	逆向思维-QQ图标全能点亮器V2.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2824	2680	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	逆向思维-QQ图标全能点亮器V2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	逆向思维-QQ图标全能点亮器V2.1.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2712	逆向思维-QQ图标全能点亮器V2.1.exe
2712	逆向思维-QQ图标全能点亮器V2.1.exe
2712	逆向思维-QQ图标全能点亮器V2.1.exe
2712	逆向思维-QQ图标全能点亮器V2.1.exe
2712	逆向思维-QQ图标全能点亮器V2.1.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2680	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2680	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2680	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2680	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2680	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2680	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2680	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2712	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2712	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2712	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2712	2776	94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2824	2680	1.exe	32
PID 2680 wrote to memory of 2824	2680	1.exe	32
PID 2680 wrote to memory of 2824	2680	1.exe	32
PID 2680 wrote to memory of 2824	2680	1.exe	32
PID 2680 wrote to memory of 2824	2680	1.exe	32
PID 2680 wrote to memory of 2824	2680	1.exe	32
PID 2680 wrote to memory of 2824	2680	1.exe	32

C:\Users\Admin\AppData\Local\Temp\94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94e6c9d22463d83b4402d06db0a9d3ed_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2824
- C:\Users\Admin\AppData\Local\Temp\逆向思维-QQ图标全能点亮器V2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\逆向思维-QQ图标全能点亮器V2.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1.exe

Filesize
134KB

MD5
598cbd61b86b3e5ff1b2bbc0455c96e6

SHA1
1a1f7c938685d4125bfa9e9588904be54620f804

SHA256
f48f8c9fded98718b048707000d7d696a6af9172f982d31188b9c48efd601f29

SHA512
549c4842436dc13e7bb4a23485ac643ba8c21eb6f227123b0ae25cb13a924c6074ed7017b0f678f19da6f3cd2931197b73f263c56d8c8738b80af6ee8126fd27

Download Submit
\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
\Users\Admin\AppData\Local\Temp\逆向思维-QQ图标全能点亮器V2.1.exe

Filesize
673KB

MD5
9980b559b20d5a75b0b18b42905a37e5

SHA1
df9117cd8967bae26b2810d0fddd07fbcd708bd8

SHA256
188a719108610de0b06fa4644dfe3e7485505808a9db8ed8518e64e5cb6336f5

SHA512
2169fc4ece60c333f3eabebe6df883e538cbedb0c546390768dacf50ebc3f58c8d89553fa3e6bcab4a05bcc57c3829b1774a0eedd55fca9f64d3d01ce5d66837

Download Submit
memory/2680-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2680-65-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2680-21-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/2712-70-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-76-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-92-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2712-66-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-68-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-90-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-72-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-74-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2712-78-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-80-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-82-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-84-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-86-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2712-88-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2776-4-0x00000000028F0000-0x0000000002916000-memory.dmp

Filesize
152KB

Download
memory/2776-17-0x0000000002900000-0x0000000002A53000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing